CVE-2025-4581
EPSS 0.06%
Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery
Published: 2025/8/9, modified: 2025/12/20
Description
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92 allow a pre-authentication blind SSRF vulnerability in the portal-settings-authentication-opensso-web component due to improper validation of user-supplied URLs. An attacker can exploit this issue to force the server to make arbitrary HTTP requests to internal systems, potentially leading to internal network enumeration or further exploitation.
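As an added example (not Liferay's code), this is the kind of server-side check a defender places in front of any user-supplied SSO URL before the portal fetches it, which is the validation the advisory says was missing; the allowlisted host and the resolver are assumptions:

```python
"""SSRF-hardening check for a user-supplied SSO URL (added example, not
Liferay code). Assumes an allowlist of identity-provider hosts and a
pluggable resolver so the check can run offline."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts the portal is legitimately allowed to contact for SSO (constructed).
ALLOWED_SSO_HOSTS = {"sso.example.com"}


def _resolve(host):
    """Default resolver: every address the host maps to (A and AAAA)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def static_resolver(table):
    """Build a resolver from a {host: [ip, ...]} dict (offline tests)."""
    return lambda host: [ipaddress.ip_address(a) for a in table.get(host, [])]


def is_safe_sso_url(url, resolver=_resolve):
    """Return True only if the server may fetch this URL.

    Rejects non-https schemes, embedded credentials (the
    "https://allowed@internal/" trick), hosts outside the allowlist, and
    allowlisted names that resolve to any non-public address (loopback,
    private, link-local, reserved), which blocks DNS-rebinding reach into
    the internal network.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_SSO_HOSTS:
        return False
    try:
        addresses = resolver(host)
    except (socket.gaierror, ValueError):
        return False
    return bool(addresses) and all(addr.is_global for addr in addresses)
```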
Affected packages (2)
- Maven/com.liferay.portal:release.dxp.bom: >= 2025.Q1.0, < 2025.Q1.5
- Maven/com.liferay.portal:release.portal.bom: >= 7.4.0, <= 7.4.3.132
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N |